| OLD | NEW |
|---|
| 1 // Copyright 2013 The Chromium Authors. All rights reserved. | 1 // Copyright 2013 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "net/quic/crypto/quic_crypto_server_config.h" | 5 #include "net/quic/crypto/quic_crypto_server_config.h" |
| 6 | 6 |
| 7 #include <stdarg.h> | 7 #include <stdarg.h> |
| 8 | 8 |
| 9 #include "base/stl_util.h" | 9 #include "base/stl_util.h" |
| 10 #include "net/quic/crypto/aes_128_gcm_12_encrypter.h" | 10 #include "net/quic/crypto/aes_128_gcm_12_encrypter.h" |
| 11 #include "net/quic/crypto/crypto_handshake_message.h" | 11 #include "net/quic/crypto/crypto_handshake_message.h" |
| 12 #include "net/quic/crypto/crypto_secret_boxer.h" | 12 #include "net/quic/crypto/crypto_secret_boxer.h" |
| 13 #include "net/quic/crypto/crypto_server_config_protobuf.h" | 13 #include "net/quic/crypto/crypto_server_config_protobuf.h" |
| 14 #include "net/quic/crypto/quic_random.h" | 14 #include "net/quic/crypto/quic_random.h" |
| 15 #include "net/quic/crypto/strike_register_client.h" | 15 #include "net/quic/crypto/strike_register_client.h" |
| 16 #include "net/quic/quic_flags.h" |
| 16 #include "net/quic/quic_time.h" | 17 #include "net/quic/quic_time.h" |
| 17 #include "net/quic/test_tools/mock_clock.h" | 18 #include "net/quic/test_tools/mock_clock.h" |
| 18 #include "net/quic/test_tools/quic_test_utils.h" | 19 #include "net/quic/test_tools/quic_test_utils.h" |
| 19 #include "testing/gmock/include/gmock/gmock.h" | 20 #include "testing/gmock/include/gmock/gmock.h" |
| 20 #include "testing/gtest/include/gtest/gtest.h" | 21 #include "testing/gtest/include/gtest/gtest.h" |
| 21 | 22 |
| 22 using base::StringPiece; | 23 using base::StringPiece; |
| 23 using std::make_pair; | 24 using std::make_pair; |
| 24 using std::map; | 25 using std::map; |
| 25 using std::pair; | 26 using std::pair; |
| (...skipping 17 matching lines...) Expand all Loading... |
| 43 return server_config_->GetConfigWithScid(config_id); | 44 return server_config_->GetConfigWithScid(config_id); |
| 44 } | 45 } |
| 45 } | 46 } |
| 46 | 47 |
| 47 bool ConfigHasDefaultSourceAddressTokenBoxer(string config_id) { | 48 bool ConfigHasDefaultSourceAddressTokenBoxer(string config_id) { |
| 48 scoped_refptr<QuicCryptoServerConfig::Config> config = GetConfig(config_id); | 49 scoped_refptr<QuicCryptoServerConfig::Config> config = GetConfig(config_id); |
| 49 return config->source_address_token_boxer == | 50 return config->source_address_token_boxer == |
| 50 &(server_config_->default_source_address_token_boxer_); | 51 &(server_config_->default_source_address_token_boxer_); |
| 51 } | 52 } |
| 52 | 53 |
| 53 string NewSourceAddressToken( | 54 string NewSourceAddressToken(string config_id, |
| 54 string config_id, | 55 const IPEndPoint& ip, |
| 55 const IPEndPoint& ip, | 56 QuicRandom* rand, |
| 56 QuicRandom* rand, | 57 QuicWallTime now) { |
| 57 QuicWallTime now) { | |
| 58 return NewSourceAddressToken(config_id, ip, rand, now, NULL); | 58 return NewSourceAddressToken(config_id, ip, rand, now, NULL); |
| 59 } | 59 } |
| 60 | 60 |
| 61 string NewSourceAddressToken( | 61 string NewSourceAddressToken(string config_id, |
| 62 string config_id, | 62 const IPEndPoint& ip, |
| 63 const IPEndPoint& ip, | 63 QuicRandom* rand, |
| 64 QuicRandom* rand, | 64 QuicWallTime now, |
| 65 QuicWallTime now, | 65 const SourceAddressTokens& previous_tokens) { |
| 66 CachedNetworkParameters* cached_network_params) { | |
| 67 return server_config_->NewSourceAddressToken( | 66 return server_config_->NewSourceAddressToken( |
| 68 *GetConfig(config_id), ip, rand, now, cached_network_params); | 67 *GetConfig(config_id), previous_tokens, ip, rand, now, NULL); |
| 68 } |
| 69 |
| 70 string NewSourceAddressToken(string config_id, |
| 71 const IPEndPoint& ip, |
| 72 QuicRandom* rand, |
| 73 QuicWallTime now, |
| 74 CachedNetworkParameters* cached_network_params) { |
| 75 SourceAddressTokens previous_tokens; |
| 76 return server_config_->NewSourceAddressToken(*GetConfig(config_id), |
| 77 previous_tokens, ip, rand, now, |
| 78 cached_network_params); |
| 69 } | 79 } |
| 70 | 80 |
| 71 HandshakeFailureReason ValidateSourceAddressToken(string config_id, | 81 HandshakeFailureReason ValidateSourceAddressToken(string config_id, |
| 72 StringPiece srct, | 82 StringPiece srct, |
| 73 const IPEndPoint& ip, | 83 const IPEndPoint& ip, |
| 74 QuicWallTime now) { | 84 QuicWallTime now) { |
| 75 return ValidateSourceAddressToken(config_id, srct, ip, now, NULL); | 85 return ValidateSourceAddressToken(config_id, srct, ip, now, NULL); |
| 76 } | 86 } |
| 77 | 87 |
| 78 HandshakeFailureReason ValidateSourceAddressToken( | 88 HandshakeFailureReason ValidateSourceAddressToken( |
| 79 string config_id, | 89 string config_id, |
| 80 StringPiece srct, | 90 StringPiece srct, |
| 81 const IPEndPoint& ip, | 91 const IPEndPoint& ip, |
| 82 QuicWallTime now, | 92 QuicWallTime now, |
| 83 CachedNetworkParameters* cached_network_params) { | 93 CachedNetworkParameters* cached_network_params) { |
| 84 return server_config_->ValidateSourceAddressToken( | 94 return server_config_->ValidateSourceAddressToken( |
| 85 *GetConfig(config_id), srct, ip, now, cached_network_params); | 95 *GetConfig(config_id), srct, ip, now, cached_network_params); |
| 86 } | 96 } |
| 87 | 97 |
| 98 HandshakeFailureReason ValidateSourceAddressTokens(string config_id, |
| 99 StringPiece srct, |
| 100 const IPEndPoint& ip, |
| 101 QuicWallTime now) { |
| 102 return ValidateSourceAddressTokens(config_id, srct, ip, now, NULL); |
| 103 } |
| 104 |
| 105 HandshakeFailureReason ValidateSourceAddressTokens( |
| 106 string config_id, |
| 107 StringPiece srct, |
| 108 const IPEndPoint& ip, |
| 109 QuicWallTime now, |
| 110 CachedNetworkParameters* cached_network_params) { |
| 111 SourceAddressTokens tokens; |
| 112 HandshakeFailureReason reason = server_config_->ParseSourceAddressToken( |
| 113 *GetConfig(config_id), srct, &tokens); |
| 114 if (reason != HANDSHAKE_OK) { |
| 115 return reason; |
| 116 } |
| 117 |
| 118 return server_config_->ValidateSourceAddressTokens(tokens, ip, now, |
| 119 cached_network_params); |
| 120 } |
| 121 |
| 88 string NewServerNonce(QuicRandom* rand, QuicWallTime now) const { | 122 string NewServerNonce(QuicRandom* rand, QuicWallTime now) const { |
| 89 return server_config_->NewServerNonce(rand, now); | 123 return server_config_->NewServerNonce(rand, now); |
| 90 } | 124 } |
| 91 | 125 |
| 92 HandshakeFailureReason ValidateServerNonce(StringPiece token, | 126 HandshakeFailureReason ValidateServerNonce(StringPiece token, |
| 93 QuicWallTime now) { | 127 QuicWallTime now) { |
| 94 return server_config_->ValidateServerNonce(token, now); | 128 return server_config_->ValidateServerNonce(token, now); |
| 95 } | 129 } |
| 96 | 130 |
| 97 base::Lock* GetStrikeRegisterClientLock() { | 131 base::Lock* GetStrikeRegisterClientLock() { |
| (...skipping 152 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 250 TestStrikeRegisterClient* strike_register = | 284 TestStrikeRegisterClient* strike_register = |
| 251 new TestStrikeRegisterClient(&server); | 285 new TestStrikeRegisterClient(&server); |
| 252 server.SetStrikeRegisterClient(strike_register); | 286 server.SetStrikeRegisterClient(strike_register); |
| 253 | 287 |
| 254 QuicCryptoServerConfig::ConfigOptions options; | 288 QuicCryptoServerConfig::ConfigOptions options; |
| 255 scoped_ptr<CryptoHandshakeMessage>( | 289 scoped_ptr<CryptoHandshakeMessage>( |
| 256 server.AddDefaultConfig(rand, &clock, options)); | 290 server.AddDefaultConfig(rand, &clock, options)); |
| 257 EXPECT_TRUE(strike_register->is_known_orbit_called()); | 291 EXPECT_TRUE(strike_register->is_known_orbit_called()); |
| 258 } | 292 } |
| 259 | 293 |
| 260 TEST(QuicCryptoServerConfigTest, SourceAddressTokens) { | 294 class SourceAddressTokenTest : public ::testing::Test { |
| 295 public: |
| 296 SourceAddressTokenTest() |
| 297 : ip4_(IPEndPoint(Loopback4(), 1)), |
| 298 ip4_dual_(ConvertIPv4NumberToIPv6Number(ip4_.address()), 1), |
| 299 ip6_(IPEndPoint(Loopback6(), 2)), |
| 300 original_time_(QuicWallTime::Zero()), |
| 301 rand_(QuicRandom::GetInstance()), |
| 302 server_(QuicCryptoServerConfig::TESTING, rand_), |
| 303 peer_(&server_) { |
| 304 // Advance the clock to some non-zero time. |
| 305 clock_.AdvanceTime(QuicTime::Delta::FromSeconds(1000000)); |
| 306 original_time_ = clock_.WallNow(); |
| 307 |
| 308 primary_config_.reset(server_.AddDefaultConfig( |
| 309 rand_, &clock_, QuicCryptoServerConfig::ConfigOptions())); |
| 310 |
| 311 // Add a config that overrides the default boxer. |
| 312 QuicCryptoServerConfig::ConfigOptions options; |
| 313 options.id = kOverride; |
| 314 override_config_protobuf_.reset( |
| 315 QuicCryptoServerConfig::GenerateConfig(rand_, &clock_, options)); |
| 316 override_config_protobuf_->set_source_address_token_secret_override( |
| 317 "a secret key"); |
| 318 // Lower priority than the default config. |
| 319 override_config_protobuf_->set_priority(1); |
| 320 override_config_.reset( |
| 321 server_.AddConfig(override_config_protobuf_.get(), original_time_)); |
| 322 } |
| 323 |
| 261 const string kPrimary = "<primary>"; | 324 const string kPrimary = "<primary>"; |
| 262 const string kOverride = "Config with custom source address token key"; | 325 const string kOverride = "Config with custom source address token key"; |
| 263 | 326 |
| 264 MockClock clock; | 327 IPEndPoint ip4_; |
| 265 clock.AdvanceTime(QuicTime::Delta::FromSeconds(1000000)); | 328 IPEndPoint ip4_dual_; |
| 266 | 329 IPEndPoint ip6_; |
| 267 QuicWallTime now = clock.WallNow(); | 330 |
| 268 const QuicWallTime original_time = now; | 331 MockClock clock_; |
| 269 | 332 QuicWallTime original_time_; |
| 270 QuicRandom* rand = QuicRandom::GetInstance(); | 333 QuicRandom* rand_ = QuicRandom::GetInstance(); |
| 271 QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand); | 334 QuicCryptoServerConfig server_; |
| 272 QuicCryptoServerConfigPeer peer(&server); | 335 QuicCryptoServerConfigPeer peer_; |
| 273 | 336 // Stores the primary config. |
| 274 scoped_ptr<CryptoHandshakeMessage>( | 337 scoped_ptr<CryptoHandshakeMessage> primary_config_; |
| 275 server.AddDefaultConfig(rand, &clock, | 338 scoped_ptr<QuicServerConfigProtobuf> override_config_protobuf_; |
| 276 QuicCryptoServerConfig::ConfigOptions())); | 339 scoped_ptr<CryptoHandshakeMessage> override_config_; |
| 277 | 340 }; |
| 278 // Add a config that overrides the default boxer. | 341 |
| 279 QuicCryptoServerConfig::ConfigOptions options; | 342 TEST_F(SourceAddressTokenTest, SourceAddressToken) { |
| 280 options.id = kOverride; | 343 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens, |
| 281 scoped_ptr<QuicServerConfigProtobuf> protobuf( | 344 false); |
| 282 QuicCryptoServerConfig::GenerateConfig(rand, &clock, options)); | 345 |
| 283 protobuf->set_source_address_token_secret_override("a secret key"); | 346 QuicWallTime now = clock_.WallNow(); |
| 284 // Lower priority than the default config. | 347 |
| 285 protobuf->set_priority(1); | 348 EXPECT_TRUE(peer_.ConfigHasDefaultSourceAddressTokenBoxer(kPrimary)); |
| 286 scoped_ptr<CryptoHandshakeMessage>( | 349 EXPECT_FALSE(peer_.ConfigHasDefaultSourceAddressTokenBoxer(kOverride)); |
| 287 server.AddConfig(protobuf.get(), now)); | |
| 288 | |
| 289 EXPECT_TRUE(peer.ConfigHasDefaultSourceAddressTokenBoxer(kPrimary)); | |
| 290 EXPECT_FALSE(peer.ConfigHasDefaultSourceAddressTokenBoxer(kOverride)); | |
| 291 | |
| 292 IPEndPoint ip4 = IPEndPoint(Loopback4(), 1); | |
| 293 IPEndPoint ip4d = IPEndPoint(ConvertIPv4NumberToIPv6Number(ip4.address()), 1); | |
| 294 IPEndPoint ip6 = IPEndPoint(Loopback6(), 2); | |
| 295 | 350 |
| 296 // Primary config generates configs that validate successfully. | 351 // Primary config generates configs that validate successfully. |
| 297 const string token4 = peer.NewSourceAddressToken(kPrimary, ip4, rand, now); | 352 const string token4 = peer_.NewSourceAddressToken(kPrimary, ip4_, rand_, now); |
| 298 const string token4d = peer.NewSourceAddressToken(kPrimary, ip4d, rand, now); | 353 const string token4d = |
| 299 const string token6 = peer.NewSourceAddressToken(kPrimary, ip6, rand, now); | 354 peer_.NewSourceAddressToken(kPrimary, ip4_dual_, rand_, now); |
| 300 EXPECT_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken( | 355 const string token6 = peer_.NewSourceAddressToken(kPrimary, ip6_, rand_, now); |
| 301 kPrimary, token4, ip4, now)); | 356 EXPECT_EQ(HANDSHAKE_OK, |
| 302 DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken( | 357 peer_.ValidateSourceAddressToken(kPrimary, token4, ip4_, now)); |
| 303 kPrimary, token4, ip4d, now)); | 358 ASSERT_EQ(HANDSHAKE_OK, |
| 304 DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE, | 359 peer_.ValidateSourceAddressToken(kPrimary, token4, ip4_dual_, now)); |
| 305 peer.ValidateSourceAddressToken(kPrimary, token4, ip6, now)); | 360 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE, |
| 306 DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken( | 361 peer_.ValidateSourceAddressToken(kPrimary, token4, ip6_, now)); |
| 307 kPrimary, token4d, ip4, now)); | 362 ASSERT_EQ(HANDSHAKE_OK, |
| 308 DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken( | 363 peer_.ValidateSourceAddressToken(kPrimary, token4d, ip4_, now)); |
| 309 kPrimary, token4d, ip4d, now)); | 364 ASSERT_EQ(HANDSHAKE_OK, peer_.ValidateSourceAddressToken(kPrimary, token4d, |
| 310 DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE, | 365 ip4_dual_, now)); |
| 311 peer.ValidateSourceAddressToken(kPrimary, token4d, ip6, now)); | 366 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE, |
| 312 DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken( | 367 peer_.ValidateSourceAddressToken(kPrimary, token4d, ip6_, now)); |
| 313 kPrimary, token6, ip6, now)); | 368 ASSERT_EQ(HANDSHAKE_OK, |
| 369 peer_.ValidateSourceAddressToken(kPrimary, token6, ip6_, now)); |
| 314 | 370 |
| 315 // Override config generates configs that validate successfully. | 371 // Override config generates configs that validate successfully. |
| 316 const string override_token4 = peer.NewSourceAddressToken( | 372 const string override_token4 = |
| 317 kOverride, ip4, rand, now); | 373 peer_.NewSourceAddressToken(kOverride, ip4_, rand_, now); |
| 318 const string override_token6 = peer.NewSourceAddressToken( | 374 const string override_token6 = |
| 319 kOverride, ip6, rand, now); | 375 peer_.NewSourceAddressToken(kOverride, ip6_, rand_, now); |
| 320 DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken( | 376 ASSERT_EQ(HANDSHAKE_OK, peer_.ValidateSourceAddressToken( |
| 321 kOverride, override_token4, ip4, now)); | 377 kOverride, override_token4, ip4_, now)); |
| 322 DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE, | 378 ASSERT_EQ( |
| 323 peer.ValidateSourceAddressToken(kOverride, override_token4, ip6, | 379 SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE, |
| 324 now)); | 380 peer_.ValidateSourceAddressToken(kOverride, override_token4, ip6_, now)); |
| 325 DCHECK_EQ(HANDSHAKE_OK, peer.ValidateSourceAddressToken( | 381 ASSERT_EQ(HANDSHAKE_OK, peer_.ValidateSourceAddressToken( |
| 326 kOverride, override_token6, ip6, now)); | 382 kOverride, override_token6, ip6_, now)); |
| 327 | 383 |
| 328 // Tokens generated by the primary config do not validate | 384 // Tokens generated by the primary config do not validate |
| 329 // successfully against the override config, and vice versa. | 385 // successfully against the override config, and vice versa. |
| 330 DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, | 386 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, |
| 331 peer.ValidateSourceAddressToken(kOverride, token4, ip4, now)); | 387 peer_.ValidateSourceAddressToken(kOverride, token4, ip4_, now)); |
| 332 DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, | 388 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, |
| 333 peer.ValidateSourceAddressToken(kOverride, token6, ip6, now)); | 389 peer_.ValidateSourceAddressToken(kOverride, token6, ip6_, now)); |
| 334 DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, | 390 ASSERT_EQ( |
| 335 peer.ValidateSourceAddressToken(kPrimary, override_token4, ip4, | 391 SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, |
| 336 now)); | 392 peer_.ValidateSourceAddressToken(kPrimary, override_token4, ip4_, now)); |
| 337 DCHECK_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, | 393 ASSERT_EQ( |
| 338 peer.ValidateSourceAddressToken(kPrimary, override_token6, ip6, | 394 SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, |
| 339 now)); | 395 peer_.ValidateSourceAddressToken(kPrimary, override_token6, ip6_, now)); |
| 396 } |
| 397 |
| 398 TEST_F(SourceAddressTokenTest, SourceAddressTokenExpiration) { |
| 399 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens, |
| 400 false); |
| 401 |
| 402 QuicWallTime now = clock_.WallNow(); |
| 403 |
| 404 const string token = peer_.NewSourceAddressToken(kPrimary, ip4_, rand_, now); |
| 340 | 405 |
| 341 // Validation fails after tokens expire. | 406 // Validation fails after tokens expire. |
| 342 now = original_time.Add(QuicTime::Delta::FromSeconds(86400 * 7)); | 407 now = original_time_.Add(QuicTime::Delta::FromSeconds(86400 * 7)); |
| 343 DCHECK_EQ(SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE, | 408 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE, |
| 344 peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now)); | 409 peer_.ValidateSourceAddressToken(kPrimary, token, ip4_, now)); |
| 345 | 410 |
| 346 now = original_time.Subtract(QuicTime::Delta::FromSeconds(3600 * 2)); | 411 now = original_time_.Subtract(QuicTime::Delta::FromSeconds(3600 * 2)); |
| 347 DCHECK_EQ(SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE, | 412 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE, |
| 348 peer.ValidateSourceAddressToken(kPrimary, token4, ip4, now)); | 413 peer_.ValidateSourceAddressToken(kPrimary, token, ip4_, now)); |
| 414 } |
| 415 |
| 416 TEST_F(SourceAddressTokenTest, SourceAddressTokenWithNetworkParams) { |
| 417 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens, |
| 418 false); |
| 419 |
| 420 QuicWallTime now = clock_.WallNow(); |
| 349 | 421 |
| 350 // Make sure that if the source address token contains CachedNetworkParameters | 422 // Make sure that if the source address token contains CachedNetworkParameters |
| 351 // that this gets written to ValidateSourceAddressToken output argument. | 423 // that this gets written to ValidateSourceAddressToken output argument. |
| 352 CachedNetworkParameters cached_network_params_input; | 424 CachedNetworkParameters cached_network_params_input; |
| 353 cached_network_params_input.set_bandwidth_estimate_bytes_per_second(1234); | 425 cached_network_params_input.set_bandwidth_estimate_bytes_per_second(1234); |
| 354 const string token4_with_cached_network_params = peer.NewSourceAddressToken( | 426 const string token4_with_cached_network_params = peer_.NewSourceAddressToken( |
| 355 kPrimary, ip4, rand, now, &cached_network_params_input); | 427 kPrimary, ip4_, rand_, now, &cached_network_params_input); |
| 356 | 428 |
| 357 CachedNetworkParameters cached_network_params_output; | 429 CachedNetworkParameters cached_network_params_output; |
| 358 EXPECT_NE(cached_network_params_output, cached_network_params_input); | 430 #if 0 |
| 359 peer.ValidateSourceAddressToken(kPrimary, token4_with_cached_network_params, | 431 // TODO(rtenneti): For server, enable the following check after serialization |
| 360 ip4, now, &cached_network_params_output); | 432 // of optional CachedNetworkParameters is implemented. |
| 361 // TODO(rtenneti): For server, enable the following check after serialization | 433 EXPECT_NE(cached_network_params_output.DebugString(), |
| 362 // of optional CachedNetworkParameters is implemented. | 434 cached_network_params_input.DebugString()); |
| 363 // EXPECT_EQ(cached_network_params_output, cached_network_params_input); | 435 #endif |
| 436 peer_.ValidateSourceAddressToken(kPrimary, token4_with_cached_network_params, |
| 437 ip4_, now, &cached_network_params_output); |
| 438 #if 0 |
| 439 // TODO(rtenneti): For server, enable the following check after serialization |
| 440 // of optional CachedNetworkParameters is implemented. |
| 441 EXPECT_EQ(cached_network_params_output.DebugString(), |
| 442 cached_network_params_input.DebugString()); |
| 443 #endif |
| 444 } |
| 445 |
| 446 // Test basic behavior of source address tokens including being specific |
| 447 // to a single IP address and server config. |
| 448 // |
| 449 // TODO(rtenneti): For server, enable the following test after serialization of |
| 450 // SourceAddressTokens is implemented. |
| 451 TEST_F(SourceAddressTokenTest, DISABLED_NewSourceAddressToken) { |
| 452 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens, |
| 453 true); |
| 454 |
| 455 QuicWallTime now = clock_.WallNow(); |
| 456 |
| 457 // Primary config generates configs that validate successfully. |
| 458 const string token4 = peer_.NewSourceAddressToken(kPrimary, ip4_, rand_, now); |
| 459 const string token4d = |
| 460 peer_.NewSourceAddressToken(kPrimary, ip4_dual_, rand_, now); |
| 461 const string token6 = peer_.NewSourceAddressToken(kPrimary, ip6_, rand_, now); |
| 462 EXPECT_EQ(HANDSHAKE_OK, |
| 463 peer_.ValidateSourceAddressTokens(kPrimary, token4, ip4_, now)); |
| 464 ASSERT_EQ(HANDSHAKE_OK, peer_.ValidateSourceAddressTokens(kPrimary, token4, |
| 465 ip4_dual_, now)); |
| 466 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE, |
| 467 peer_.ValidateSourceAddressTokens(kPrimary, token4, ip6_, now)); |
| 468 ASSERT_EQ(HANDSHAKE_OK, |
| 469 peer_.ValidateSourceAddressTokens(kPrimary, token4d, ip4_, now)); |
| 470 ASSERT_EQ(HANDSHAKE_OK, peer_.ValidateSourceAddressTokens(kPrimary, token4d, |
| 471 ip4_dual_, now)); |
| 472 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE, |
| 473 peer_.ValidateSourceAddressTokens(kPrimary, token4d, ip6_, now)); |
| 474 ASSERT_EQ(HANDSHAKE_OK, |
| 475 peer_.ValidateSourceAddressTokens(kPrimary, token6, ip6_, now)); |
| 476 |
| 477 // Override config generates configs that validate successfully. |
| 478 const string override_token4 = |
| 479 peer_.NewSourceAddressToken(kOverride, ip4_, rand_, now); |
| 480 const string override_token6 = |
| 481 peer_.NewSourceAddressToken(kOverride, ip6_, rand_, now); |
| 482 ASSERT_EQ(HANDSHAKE_OK, peer_.ValidateSourceAddressTokens( |
| 483 kOverride, override_token4, ip4_, now)); |
| 484 ASSERT_EQ( |
| 485 SOURCE_ADDRESS_TOKEN_DIFFERENT_IP_ADDRESS_FAILURE, |
| 486 peer_.ValidateSourceAddressTokens(kOverride, override_token4, ip6_, now)); |
| 487 ASSERT_EQ(HANDSHAKE_OK, peer_.ValidateSourceAddressTokens( |
| 488 kOverride, override_token6, ip6_, now)); |
| 489 |
| 490 // Tokens generated by the primary config do not validate |
| 491 // successfully against the override config, and vice versa. |
| 492 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, |
| 493 peer_.ValidateSourceAddressTokens(kOverride, token4, ip4_, now)); |
| 494 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, |
| 495 peer_.ValidateSourceAddressTokens(kOverride, token6, ip6_, now)); |
| 496 ASSERT_EQ( |
| 497 SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, |
| 498 peer_.ValidateSourceAddressTokens(kPrimary, override_token4, ip4_, now)); |
| 499 ASSERT_EQ( |
| 500 SOURCE_ADDRESS_TOKEN_DECRYPTION_FAILURE, |
| 501 peer_.ValidateSourceAddressTokens(kPrimary, override_token6, ip6_, now)); |
| 502 } |
| 503 |
| 504 // TODO(rtenneti): For server, enable the following test after serialization of |
| 505 // SourceAddressTokens is implemented. |
| 506 TEST_F(SourceAddressTokenTest, DISABLED_NewSourceAddressTokenExpiration) { |
| 507 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens, |
| 508 true); |
| 509 |
| 510 QuicWallTime now = clock_.WallNow(); |
| 511 |
| 512 const string token = peer_.NewSourceAddressToken(kPrimary, ip4_, rand_, now); |
| 513 |
| 514 // Validation fails after tokens expire. |
| 515 now = original_time_.Add(QuicTime::Delta::FromSeconds(86400 * 7)); |
| 516 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_EXPIRED_FAILURE, |
| 517 peer_.ValidateSourceAddressTokens(kPrimary, token, ip4_, now)); |
| 518 |
| 519 now = original_time_.Subtract(QuicTime::Delta::FromSeconds(3600 * 2)); |
| 520 ASSERT_EQ(SOURCE_ADDRESS_TOKEN_CLOCK_SKEW_FAILURE, |
| 521 peer_.ValidateSourceAddressTokens(kPrimary, token, ip4_, now)); |
| 522 } |
| 523 |
| 524 TEST_F(SourceAddressTokenTest, NewSourceAddressTokenWithNetworkParams) { |
| 525 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens, |
| 526 true); |
| 527 |
| 528 QuicWallTime now = clock_.WallNow(); |
| 529 |
| 530 // Make sure that if the source address token contains CachedNetworkParameters |
| 531 // that this gets written to ValidateSourceAddressToken output argument. |
| 532 CachedNetworkParameters cached_network_params_input; |
| 533 cached_network_params_input.set_bandwidth_estimate_bytes_per_second(1234); |
| 534 const string token4_with_cached_network_params = peer_.NewSourceAddressToken( |
| 535 kPrimary, ip4_, rand_, now, &cached_network_params_input); |
| 536 |
| 537 CachedNetworkParameters cached_network_params_output; |
| 538 #if 0 |
| 539 // TODO(rtenneti): For server, enable the following check after serialization |
| 540 // of optional CachedNetworkParameters is implemented. |
| 541 EXPECT_NE(cached_network_params_output.DebugString(), |
| 542 cached_network_params_input.DebugString()); |
| 543 #endif |
| 544 peer_.ValidateSourceAddressTokens(kPrimary, token4_with_cached_network_params, |
| 545 ip4_, now, &cached_network_params_output); |
| 546 #if 0 |
| 547 // TODO(rtenneti): For server, enable the following check after serialization |
| 548 // of optional CachedNetworkParameters is implemented. |
| 549 EXPECT_EQ(cached_network_params_output.DebugString(), |
| 550 cached_network_params_input.DebugString()); |
| 551 #endif |
| 552 } |
| 553 |
| 554 // Test the ability for a source address token to be valid for multiple |
| 555 // addresses. |
| 556 // |
| 557 // TODO(rtenneti): For server, enable the following test after serialization of |
| 558 // SourceAddressTokens is implemented. |
| 559 TEST_F(SourceAddressTokenTest, DISABLED_SourceAddressTokenMultipleAddresses) { |
| 560 ValueRestore<bool> old_flag(&FLAGS_quic_use_multiple_address_in_source_tokens, |
| 561 true); |
| 562 |
| 563 QuicWallTime now = clock_.WallNow(); |
| 564 |
| 565 // Now create a token which is usable for both addresses. |
| 566 SourceAddressToken previous_token; |
| 567 IPAddressNumber ip_address = ip6_.address(); |
| 568 if (ip6_.GetSockAddrFamily() == AF_INET) { |
| 569 ip_address = ConvertIPv4NumberToIPv6Number(ip_address); |
| 570 } |
| 571 previous_token.set_ip(IPAddressToPackedString(ip_address)); |
| 572 previous_token.set_timestamp(now.ToUNIXSeconds()); |
| 573 SourceAddressTokens previous_tokens; |
| 574 (*previous_tokens.add_tokens()) = previous_token; |
| 575 const string token4or6 = |
| 576 peer_.NewSourceAddressToken(kPrimary, ip4_, rand_, now, previous_tokens); |
| 577 |
| 578 EXPECT_EQ(HANDSHAKE_OK, |
| 579 peer_.ValidateSourceAddressTokens(kPrimary, token4or6, ip4_, now)); |
| 580 ASSERT_EQ(HANDSHAKE_OK, |
| 581 peer_.ValidateSourceAddressTokens(kPrimary, token4or6, ip6_, now)); |
| 364 } | 582 } |
| 365 | 583 |
| 366 TEST(QuicCryptoServerConfigTest, ValidateServerNonce) { | 584 TEST(QuicCryptoServerConfigTest, ValidateServerNonce) { |
| 367 QuicRandom* rand = QuicRandom::GetInstance(); | 585 QuicRandom* rand = QuicRandom::GetInstance(); |
| 368 QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand); | 586 QuicCryptoServerConfig server(QuicCryptoServerConfig::TESTING, rand); |
| 369 QuicCryptoServerConfigPeer peer(&server); | 587 QuicCryptoServerConfigPeer peer(&server); |
| 370 | 588 |
| 371 StringPiece message("hello world"); | 589 StringPiece message("hello world"); |
| 372 const size_t key_size = CryptoSecretBoxer::GetKeySize(); | 590 const size_t key_size = CryptoSecretBoxer::GetKeySize(); |
| 373 scoped_ptr<uint8[]> key(new uint8[key_size]); | 591 scoped_ptr<uint8[]> key(new uint8[key_size]); |
| (...skipping 318 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 692 nullptr); | 910 nullptr); |
| 693 test_peer_.CheckConfigs( | 911 test_peer_.CheckConfigs( |
| 694 "a", false, | 912 "a", false, |
| 695 "b", true, | 913 "b", true, |
| 696 "c", false, | 914 "c", false, |
| 697 nullptr); | 915 nullptr); |
| 698 } | 916 } |
| 699 | 917 |
| 700 } // namespace test | 918 } // namespace test |
| 701 } // namespace net | 919 } // namespace net |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 822713002:
Update from https://crrev.com/309415 (Closed)
Base URL: https://github.com/domokit/mojo.git@master